06/09/260612:28 FAX 216 696 8731 



AMIN, & TUROCY LLP. 






10/691,999 MS306808.01/MSFTP535US 



Amendments to the Claims 
This listing of claims will replace all prior versions of claims in the application: 
Listing of Claims: 

1. (Currently amended) A computer-implemented data security system that facilitates 
securing a data item, comprising: 

a data store that includes at least one hierarchical data structure that comprises a plurality 
of data items; and 

a security component that automatically applies at least one of a plurality of [[a first]] 
security [[policy]] policies to at least a first subsection of the data store based at least in part upon 
detection of type of the at least one hierarchical data structure[[, and at least a second variant 
security policy to at least a second disparate subsection of the data store]]. 

2. (Currently amended) The system of claim 1, the at least one hierarchical data structure is 
at least one of a tree structure and a containment hierarchy. 

3. (Original) The system of claim 2, the containment hierarchy is modeled as a Directed 
Acyclic Graph (DAG). 

4. (Cancelled) 

5. (Currently amended) The system of claim 1, the at least one [[first and second]] security 
[[policies are]] policy is at least one of mapped from within the data store, and mapped from outside 
the data store. 

6. (Currently amended) The system of claim 1, the at least one [[first and second]] security 
[[policies are]] policy is at least one of explicitly mapped to an item and inherited by an item. 

7. (Original) The system of claim 1, the security component includes an Access Control List 
having one or more Access Control Entries. 

8. (Currently amended) The system of claim 7, the Access Control List [[can be]] is associated 
with a holding relationship of a containment hierarchy. 

9. (Currently amended) The system of claim 8, further comprising a plurality of Access 
Control Lists that describe discretionary access rights for an item within [[to facilitate security for]] 
the containment hierarchy. 

10. (Original) The system of claim 1, the security component specifies a set of principals that 
are granted or denied access to perform operations on an item. 

11. (Original) The system of claim 1, the security component includes at least one of 
discretionary access control list, a system access control list, and a security identifier. 

12. (Original) The system of claim 1, further comprising an ordering component that 
arranges one or more Access Control Entries (ACE) in an Access Control List (ACL) to 
determine a security policy that is enforced for an item. 

13. (Currently amended) The system of claim 12, further comprising utilization of the 
following ordering algorithm by the security component: 

For inherited ACL's (L) on data item (I) 

For items I1, I2 

For ACE's A1 and A2 in L, 

I1 is an ancestor of I2 and 

I2 is an ancestor of I3 and 

A1 is an ACE inherited from I1 and 

A2 is an ACE inherited from I2 

Implies 

A2 precedes A1 in L, 
wherein L and I are integers. 

14. (Currently amended) The system of claim 12, further comprising utilization of the 
following ordering algorithm by the security component: 

For inherited ACL's (L) on data item (I) 
For items I1 

For ACE's A1 and A2 in L, 

I1 is an ancestor of I2 and 

A1 is an ACCESS_DENIED_ACE inherited from I1 and 
A2 is an ACCESS_GRANTED_ACE inherited from I1 

Implies 

A1 precedes A2 in L, 
wherein L and I are integers. 

15. (Previously presented) The system of claim 12, further comprising a component that 
evaluates access rights for a given principal to a given data item. 
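
The ordering rules recited in claims 13 and 14, together with an evaluation step of the kind named in claim 15, as an added illustration that is not part of the filed claims. The `Ace` fields, the mask bits, the sample principals and the first-match evaluation rule are assumptions made for the example.

```python
from dataclasses import dataclass

DENY, GRANT = "ACCESS_DENIED_ACE", "ACCESS_GRANTED_ACE"
READ, WRITE = 0x1, 0x2          # constructed access-mask bits

@dataclass(frozen=True)
class Ace:
    kind: str       # DENY or GRANT
    principal: str  # user or group the entry names
    mask: int       # rights covered by the entry
    depth: int      # depth of the ancestor it is inherited from (root = 0)

def order_inherited(aces):
    """Claim 13: entries from a nearer ancestor precede entries from a
    farther one. Claim 14: from the same ancestor, deny precedes grant."""
    return sorted(aces, key=lambda a: (-a.depth, a.kind != DENY))

def check_access(acl, principals, desired):
    """Assumed first-match evaluation: walk the list in order; a deny that
    covers a still-unmet right refuses, grants clear the rights they cover."""
    remaining = desired
    for ace in acl:
        if ace.principal not in principals:
            continue
        if ace.kind == DENY:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # rights never granted are refused

# Constructed sample: root (depth 0) -> projects (depth 1) -> item
INHERITED = [
    Ace(GRANT, "staff", READ | WRITE, 0),
    Ace(GRANT, "contractors", READ, 1),
    Ace(DENY, "contractors", WRITE, 1),
]
ALICE = {"alice", "staff", "contractors"}

if __name__ == "__main__":
    acl = order_inherited(INHERITED)
    for ace in acl:
        print(ace)
    print("write, ordered:  ", check_access(acl, ALICE, WRITE))
    print("write, unordered:", check_access(INHERITED, ALICE, WRITE))
```

With the list left in its constructed order, the root-level grant is reached first and the write request succeeds; after ordering, the nearer container's deny is reached first and the request is refused.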

16. (Original) The system of claim 1, the security component further comprises an effective 
access control list that is obtained by processing lists inherited by an item and adding inheritable 
access control entries in an explicit access control list. 

17. (Original) The system of claim 1, the security component further comprises an access 
mask specifying at least one of object-specific access rights, standard access rights, and generic 
access rights. 

18. (Original) The system of claim 1, further comprising a security table for similarly 
protected security regions. 

19. (Currently amended) The system of claim 18, the security table includes at least one of 
the following fields: an Item Identity, an Item Ordpath, an Explicit Item, a Path ACL, and a 
Region ACL. 

20. (Previously presented) The system of claim 1, further comprising a component that does 
at least one of create a new item in a container, add an explicit ACL to an item, add a holding 
link to an item, delete a holding link from an item, delete an explicit ACL from an item and 
modify an ACL associated with an item. 

21. (Original) A computer readable medium having computer readable instructions stored 
thereon for implementing the security component of claim 1. 

22. (Currently amended) A computer-implemented method to facilitate data item security, 
comprising: 

defining at least one [[first and second variant]] security [[policies]] policy for a data store that 
includes at least one hierarchical data structure containing a plurality of data items; 

defining at least one [[first and second disparate]] security [[regions]] region for the data store 
including the at least one hierarchical data structure; and 

[[applying]] automatically mapping the at least [[first]] one security policy to the at least [[first]] 
one security region [[and the at least second security policy to the at least second security region 
associated with the data store including the at least one hierarchical data structure]] based at least 
in part upon determining type of the hierarchical data structure. 

23. (Original) The method of claim 22, further comprising automatically supporting at least 
one explicit and inherited security policy. 

24. (Original) The method of claim 22, further comprising automatically ordering security 
policies. 

25. (Original) The method of claim 22, further comprising processing security policies for at 
least one of a tree structure and a containment hierarchy. 

26. (Original) The method of claim 22, further comprising mapping a security policy to a 
security region from a remote location from a database. 

27. (Currently amended) The method of claim 22, the at least [[first]] one [[and second]] security 
[[policies]] policy is [[are]] associated with an Access Control List having one or more Access 
Control Entries. 

28. (Original) The method of claim 27, further comprising automatically arranging one or 
more Access Control Entries in the Access Control List to determine a security policy that is 
enforced for an item. 

29. (Currently amended) A computer-implemented system that facilitates database security 
processing, comprising: 

means for defining a [[first]] security policy; [[and one or more disparate second security 
policies;]] 

means for determining a [[first]] security region for the [[first]] security policy [[and one or more 
second security regions for the one or more second security policies]]; and 

means for automatically applying the [[first and one or more second]] security [[policies]] 
policy to a data store based at least in part upon detecting whether the data store [[containing]] 
comprises [[at least]] one of a tree structure and a containment hierarchy[[, in accordance with the 
first and one or more second security regions]]. 

30. (Currently amended) A computer readable medium having a data structure stored 
thereon, comprising: 

a first data field [[related to]] that describes a [[at least first and second disparate]] security 
[[regions]] region associated with a data store containing at least one hierarchical data structure; 

a second data field that [[relates to]] describes a [[at least first and second]] security policy 
[[policies]]; and 

a third data field that maps the [[at least first]] security policy to the [[at least first]] 
security region based at least in part upon determining type of hierarchical data structure that is 
employed[[, and the at least second security policy to the at least second security region]]. 

31. (Currently amended) The computer readable medium of claim 30, further comprising a 
field that comprises [[for]] an access mask specifying at least one of object-specific access rights, 
standard access rights, and generic access rights. 

32. (Currently amended) The computer readable medium of claim 30, further comprising a 
security field that comprises [[for]] similarly protected security regions. 

33. (Previously presented) The computer readable medium of claim 32, the security field 
includes at least one of an Item Identity, an Item Ordpath, an Explicit Item, a Path ACL, and a 
Region ACL. 